SOAR: Magic or Mundane?

When we think of Security Orchestration, Automation and Response (SOAR) nowadays (and we do think a lot about SOAR), we primarily think of this:

SOAR = security workflow + security orchestration + security automation [+ maybe knowledge management of playbooks and such]

(and, yes, a longer post that explains the above terms is coming too)

Now let me ask you this: is SOAR technology mostly about IMPROVED EFFICIENCY or is it about MAGIC [aka NEW CAPABILITIES]?

Clearly, a car is NOT an improved horse-drawn carriage, an iPhone is NOT an improved Blackberry – these technology advances delivered not just an improvement in some existing process (transportation, communication), but major new capabilities and even opened new realms of human endeavor and new areas of practice.

However, most of the examples of SOAR usage we’ve seen so far definitely fit into the improved efficiency bucket: process phishing emails faster, get malware sandboxing results into the incident case easier, etc. However, our analyst intuition tells us that the magic is there.

Where can we look for SOAR magic? – We will look for new security processes that are only possible with SOAR-style automation (or DIY or OSS tools of similar mission), we will look for useful security capabilities that are only achievable with SOAR, ways to do security operations differently because you have SOAR and other things of that sort. We hope some SOAR users and SOAR vendors will help too…

Finally, why do we look for magic here? This is why. Efficiency stuff just does not get adopted fast enough … and tends to linger in “1%-er land” for way too long.

Blog posts related to this topic: